Yesterday, Office 365 suffered hours of service degradation, causing major email and business disruption. The media reported that Exchange Online Protection's filtering infrastructure could have been at fault.
Now imagine this: it’s early afternoon on a work day, and your company’s email server goes down. Every last mailbox is affected, unable to send or receive messages. This could cripple employee productivity and ultimately cost you customer relationships, partnerships and money. But you have Microsoft Office 365, so this won’t happen to you, right? This is where you’re wrong. That line of thinking has major implications not only for productivity but for the security of your organization’s data. After all, this very scenario just happened.
Microsoft explained the issue in an update, saying, “We identified that a recent update to the environment caused an EOP process that analyzes email to perform below acceptable thresholds, causing email messages to queue from both inbound and outbound sources.”
Thanks for the explanation, guys. But this doesn’t mean that you’re off the hook. Ironically, yesterday was the last day in Microsoft’s financial year, and for most businesses, the last day of the quarter. If you suffered downtime during such a critical time in your fiscal year, how would this affect your business?
This isn’t the first time Office 365 has experienced an issue and it certainly won’t be the last. If you are an Office 365 customer and still don’t have a Plan B for continuity in the cloud, are you exposing your business to failure?
Office 365 delivers efficiencies around time and cost; in fact, we’re on it here at Mimecast. But this is your business, and you need to start planning for the worst. IT teams build disaster recovery plans for on-premises systems, and you need the same level of planning in a cloud-first world. Otherwise you could be missing out on valuable and attainable services built to keep email running in the cloud, and your business could suffer during the next outage.
Find out more about how we can help keep your business running during an Office 365 outage here.
June 29, 2016
The FBI has issued a stark warning about a rapidly-growing and downright brazen new email attack technique: simply asking employees for your critical data. Mimecast is urging organizations to think broadly about expanding new email security training to all employees.
Business Email Compromise (BEC), also known as whaling or CEO fraud, traditionally involves tricking members of the finance team into making payments to cybercriminals. But while these attacks are still taking scalps, attackers are already evolving their tactics to target other members of your organization. Finance teams are getting wiser, but many other departments have access to valuable data. HR, R&D, sales: anyone is potentially a target.
The new Public Service Announcement (PSA) highlighted a 1,300% increase in these email attacks since January 2015. Since October 2013, attackers have attempted to steal $3.1 billion (£2.2 billion) in 22,000 separate cases. The majority of cases involved attempted wire transfers to banks in China and Hong Kong. It’s worth noting that not all attempts were successful, but the FBI said about one in four of the US victims did send money.
The PSA detailed the new scenario (Data Theft) involving ‘the receipt of fraudulent emails requesting either all Wage or Tax Statement (W-2) forms or a company list of Personally Identifiable Information (PII). This scenario does not always involve the request for a wire transfer; however, the business executive’s email is compromised, either spoofed or hacked’.
The data-focussed attacks also create a great deal of uncertainty around any potential cyber insurance coverage. Mimecast research recently found that just 43% of firms with cyber insurance are confident that their policies would pay out for whaling financial transactions, and putting a value on lost IP or data can be almost impossible.
Mimecast launched a new service in April designed to help stop these social-engineering attacks. Named Impersonation Protect and part of Mimecast Targeted Threat Protection, I explain how some of it works in the previous post. However, although technology can play an important role, it must be coupled with user awareness and robust processes.
To that end Mimecast email security experts have created the following guidelines to help you start planning today:
- Conduct a review of which employees have access to valuable IP and data across the organization
- Educate senior management, key staff and employees on this specific type of attack – make sure they know how it works and are extra vigilant
- Review data protection procedures and consider revising how data transfers to external third parties are authorized
- Update data loss prevention (DLP) keywords to identify and halt unwarranted data transfers
- Consider inbound email stationery that marks and alerts employees to emails that have originated outside of the corporate network
- Subscribe to domain name registration alerting services so you are alerted when domains are created that closely resemble your corporate domain
- Look into solutions specifically designed to extend email security to guard against targeted threats in email, including whaling attacks
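The two list items on external-sender stationery and lookalike domains can be checked mechanically at the gateway. The following is an added example, not Mimecast code: it reads the real address out of the From: header (ignoring a display name that may carry the executive’s address), tags the subject of any message that did not come from the corporate domain, and flags sender domains built to be confused with it (homoglyph swaps such as rn for m, TLD swaps, the corporate name reused as a subdomain, one-character typos). The corporate domain example.com, the tag text and the sample messages are all constructed for the example.

```python
"""Added example (not Mimecast code): tag inbound mail whose sender is outside the
corporate domain, and flag sender domains that closely resemble it. The corporate
domain 'example.com', the tag text and the sample messages are all constructed."""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

CORPORATE_DOMAINS = {"example.com"}   # assumed: the domains you actually own
EXTERNAL_TAG = "[EXTERNAL] "          # assumed: prefix your stationery adds


def sender_domain(msg: Message) -> str:
    """Domain of the real address in From:, ignoring the display name
    (attackers often put the executive's address in the display name)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(label: str) -> str:
    """Collapse substitutions that look alike in common fonts (rn/m, vv/w, 1/l, 0/o)."""
    return (label.replace("rn", "m").replace("vv", "w")
                 .replace("1", "l").replace("0", "o"))


def is_lookalike(domain: str, corporate: str) -> bool:
    """True if `domain` is not `corporate` but is built to be mistaken for it:
    homoglyph swap (exarnple.com), TLD swap (example.co), the corporate name used
    as a subdomain (example.com.evil.net) or a one-character typo (examplle.com)."""
    if domain == corporate:
        return False
    d_label = domain.split(".", 1)[0]       # leftmost label only
    c_label = corporate.split(".", 1)[0]
    if fold_homoglyphs(d_label) == fold_homoglyphs(c_label):
        return True
    # 1 edit for short names; 2 for long ones, where a typo is harder to spot
    return levenshtein(d_label, c_label) <= (2 if len(c_label) >= 8 else 1)


def is_internal(domain: str) -> bool:
    return any(domain == c or domain.endswith("." + c) for c in CORPORATE_DOMAINS)


def classify(raw_message: str) -> dict:
    """Return the verdict and the subject line as the stationery would rewrite it."""
    msg = message_from_string(raw_message)
    domain = sender_domain(msg)
    if is_internal(domain):
        verdict = "internal"
    elif any(is_lookalike(domain, c) for c in CORPORATE_DOMAINS):
        verdict = "lookalike"
    else:
        verdict = "external"
    subject = msg.get("Subject", "")
    if verdict != "internal" and not subject.startswith(EXTERNAL_TAG):
        subject = EXTERNAL_TAG + subject
    return {"domain": domain, "verdict": verdict, "subject": subject}


# Constructed sample messages (headers only; the bodies are irrelevant here).
SAMPLES = [
    "From: Finance Director <fd@example.com>\nSubject: Q2 close\n\n",
    'From: "ceo@example.com" <ceo@exarnple.com>\nSubject: All W-2s please\n\n',
    "From: IT Helpdesk <it@example.com.secure-login.net>\nSubject: Reset\n\n",
    "From: Accounts <ap@supplier-corp.net>\nSubject: Invoice 4471\n\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
```

Two caveats for anyone adapting this. The From: header is trivially forged, so in production the "internal" branch must additionally require a DMARC pass (SPF or DKIM aligned with your domain); otherwise a message claiming to be from ceo@example.com but sent from outside is treated as internal and escapes the tag. And the lookalike check is a gateway-time complement to, not a replacement for, the registration-alerting service in the list above: the same candidate generation (homoglyph and one-edit variants of your label) is what you would match against newly registered domain feeds.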
We’ll continue to monitor how these threats evolve, but we would also love to hear from you if you spot a new attack in the wild. Get in touch with your local Mimecast representatives if you would like to learn more about how to protect your organization from these email security threats.
In a brief warning alert last week, US-CERT urged individuals and organizations to proactively secure systems against an increase in malware spread via macros. Mimecast is today offering new guidance to help organizations combat this threat.
Our own research also points to a resurgence in this attack technique. We found that:
- 50% of firms have seen email attacks that use macros in attachments increase
- 44% saw an increase in attacks using social engineering to ask users to enable macros
- 67% are not confident employees would spot this combined attack
These findings came from a recent Mimecast security survey of 436 IT experts at organizations in the US, UK, South Africa and Australia in March 2016.
While most organizations block executable attachments at the gateway by default, they must still let files such as Microsoft Office documents pass freely if employees are to be productive. Attackers exploit this by weaponizing files in these common formats.
Here’s a recent targeted attack email we saw containing a weaponized attachment:
Mimecast Email Security Guide to Stop Malicious Macros
Here are five recommendations to help you stop weaponized attachments and macro-enabled malware:
- Ensure macros are not enabled by default across your Microsoft Office application estate, and that ‘Protected View’ is enabled at all times
- Consider disabling macros and VBA code in all but essential applications
- Ensure all email attachments are sandboxed by an appropriately advanced email security gateway. Remember that a gateway relying on signatures alone cannot reliably recognize a new or obfuscated macro, as the macro code itself is not a known viral payload
- Consider a secure email gateway that offers the capability to neutralize weaponized attachments, or strip active code from all inbound Office documents
- Train and educate end users about the changing nature of threats in email. Ensure they understand the risks presented to their inboxes, how to handle unexpected email and attachments, the tactics attackers use, and how to recognize simple social engineering attacks
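The third and fourth recommendations (recognizing a macro without a signature, and stripping active code from inbound Office documents) come down to inspecting the attachment’s container rather than trusting its extension or a known-bad hash. The following is an added example, not Mimecast code or any gateway product’s implementation: it looks inside an Office Open XML package (.docx/.docm/.xlsm/.pptm are all zip files) for a VBA project, and rewrites the package without it, removing the vbaProject.bin part, the content-type and relationship entries that point at it, and downgrading the main part’s content type to the macro-free equivalent. The sample .docm is constructed in memory and carries only a placeholder in place of real VBA.

```python
"""Added example (not Mimecast code): inspect an Office Open XML attachment
(.docx/.docm/.xlsm/.pptm) for a VBA project by reading the zip container, and
neutralise it by removing the VBA parts and the references to them. The sample
document built below is constructed in memory; it is not a real malicious file."""
import io
import re
import zipfile

# Parts that carry VBA in OOXML packages (under word/, xl/ or ppt/).
VBA_PART = re.compile(r"(^|/)vba(Project\.bin|Data\.xml)$", re.I)
# Main-part content types of macro-enabled formats and their macro-free equivalents.
CONTENT_TYPE_MAP = {
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml",
}


def part_names(data: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def read_part(data: bytes, name: str) -> str:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name).decode("utf-8") if name in z.namelist() else ""


def has_macros(data: bytes) -> bool:
    """Decide from the container, never from the file extension: a renamed .docm
    still carries word/vbaProject.bin and a macroEnabled content type."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy .doc/.xls are OLE compound files; they need an OLE parser, not this.
        raise ValueError("not an OOXML package")
    if any(VBA_PART.search(n) for n in part_names(data)):
        return True
    content_types = read_part(data, "[Content_Types].xml")
    return "macroEnabled" in content_types or "vbaProject" in content_types


def strip_macros(data: bytes) -> bytes:
    """Rewrite the package without its VBA project: drop the VBA parts, remove
    the content-type and relationship entries that point at them, and downgrade
    the main part's content type so Office treats the result as macro-free."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if VBA_PART.search(name):
                continue
            blob = src.read(name)
            if name == "[Content_Types].xml":
                text = blob.decode("utf-8")
                text = re.sub(r"<(Default|Override)\b[^>]*vbaProject[^>]*/>", "", text)
                for macro_ct, plain_ct in CONTENT_TYPE_MAP.items():
                    text = text.replace(macro_ct, plain_ct)
                blob = text.encode("utf-8")
            elif name.endswith(".rels"):
                text = blob.decode("utf-8")
                text = re.sub(r"<Relationship\b[^>]*vbaProject[^>]*/>", "", text)
                blob = text.encode("utf-8")
            dst.writestr(name, blob)
    return out.getvalue()


def build_sample_docm() -> bytes:
    """Constructed minimal .docm: one paragraph plus a placeholder VBA project."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
        '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        "</Types>")
    doc_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
        "</Relationships>")
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>Please enable content to view the invoice.</w:t></w:r></w:p></w:body>"
        "</w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/_rels/document.xml.rels", doc_rels)
        z.writestr("word/document.xml", document)
        # OLE magic followed by filler; a real project would hold the compiled VBA.
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docm()
    print("macros before:", has_macros(sample))
    print("macros after :", has_macros(strip_macros(sample)))
```

This covers VBA only. Excel 4.0 (XLM) macros live in ordinary sheet parts, DDE fields and embedded OLE objects are separate attack surfaces, and the legacy binary .doc/.xls formats keep their VBA in OLE streams rather than a zip, so a gateway needs an OLE parser for those. A stripped file should also be re-opened in a test harness before delivery, since removing parts from a package Office did not expect to be edited can leave a document that no longer opens.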
You can see more examples in my recent security advisory on macro threats.
Cyber insurance uptake is growing quickly, but a lack of employee training on the latest email attacks is leaving organizations at great risk of breaking policy terms. These new social-engineering and impersonation attacks could leave firms of all sizes taking the full financial brunt of the crime.
Waves of high-profile breaches and new breach notification legislation are setting the scene for huge growth in cyber insurance take-up. But while insurers often pay clean-up fees after a breach, organizations should check that their policies protect them if an employee is tricked into sending a large amount of money to a fraudulent account.
Whaling (CEO fraud) attacks have been growing rapidly in volume and in scale. Mimecast revealed in April that 67% of firms have seen an increase. Then only last month, Austrian aerospace manufacturer FACC sacked its CEO after his apparent mistakes led to the firm being defrauded out of €50 million ($55.8m) in a whaling attack.
Attacks where employees are tricked into sending personal data or intellectual property are even less likely to be fully covered. For example, how would an insurer decide on compensation if a set of W-2 tax forms were stolen, compared with the secret plans for a product that exists only on the drawing board? What about attacks that compromise the integrity of data rather than stealing it? Can insurance ever fully cover these data-specific cases?
One other concern for insurers is that it can be difficult to separate real crime from potential insurance fraud.
As part of Mimecast’s research into cyber insurance policies, we questioned 436 IT experts at organizations in the US, UK, South Africa and Australia. The research revealed that:
- 45% of firms with cyber insurance are unsure if their policy is up-to-date for covering new cyber social engineering attacks, and only 10% believe it is completely up-to-date
- 43% of firms with cyber insurance are confident that their policies would pay out for whaling financial transactions
- 64% of firms don’t have any cyber insurance at all
One example of this growing risk is the legal proceeding between Texas-based AFGlobal Corp and Federal Insurance Co., a division of insurance giant Chubb Group. AFGlobal maintains that the policy it held provided coverage for both computer fraud and funds transfer fraud, but the insurer denied a claim after scammers impersonating AFGlobal’s CEO convinced the company’s accountant to wire $480,000 to a bank in China.
The rise of whaling has created an attack climate in which many insured organizations may not be protected from fraudulent transactions, because such attacks fall outside the scope of coverage defined when their policies were originally signed.
Mimecast research also found that:
- 58% of organizations have seen an increase in untargeted phishing emails
- 65% have seen targeted phishing attacks grow
- 50% said they have seen social engineering attacks that utilize malicious macros in attachments increase
A survey of risk managers by The Hartford Steam Boiler Inspection and Insurance Co. (HSB) highlighted the primary reasons for not buying coverage. Perceived complexity (44 percent), lack of a sufficient threat (34 percent) and cost (22 percent) were cited.
With the cybersecurity landscape constantly evolving, cyber insurers will have great difficulty keeping their coverage up to date. CEO fraud is a prime example of how quickly an attack can grow and morph. Tomorrow’s threats will almost always come as a surprise.
Mimecast recommends that all organisations review their cyber insurance policies regularly. A comprehensive cyber resilience strategy is only effective alongside regular employee training on the latest threats, combined with appropriate technology fail-safes.
*Mimecast will be exhibiting at Infosecurity Europe, 7-9 June, at stand #G100. Mimecast security experts will discuss the top email attack strategies being used against millions of organizations around the world today.